ON THE SPLITTING OF PRIMES IN K(E[n}) 
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Q , Abstract. We underline the role that Hilbert Class Polynomials play 

1 in the decomposition of primes in torsion fields arising from elliptic 

■ curves over number fields. As an application of the main result, we char- 

£\j _ acterize the primes not dividing n that are completely split in K(E[n])/ K, 

where E is an elliptic curve over a number field K, and n is a positive 
^ I . integer. 
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Let E be an elliptic curve over a number field K, and n a positive integer. 
The absolute Galois group Gk of K, with respect to an algebraic closure K 



£> j of K, acts naturally on the i^-points of the n-torsion subgroup E[n] of E. 

| As it is well known, such an abelian group is free of rank two over Z/nZ. 

The representation 



PE,n : G K — > Aut^H) ~ GL 2 (Z/nZ) 

identifies the Galois group of the extension K(E[n])/K obtained joining to 
K the "coordinates" of the n-torsion points of E with a certain subgroup 
G Eyn C Aut(£H). 

d\ If p is a finite prime of K not belonging to the finite set Se of bad primes 

for E and not dividing n, then K(E[n])/K is unramified above p. It is a 
problem of some interest to determine the conjugacy class Cp of Ge,u defined 
by a Frobenius element Frob p at p. Already when n = t is a prime number, 
the sole knowledge of the trace o p of Frobp does not suffice, in general, to 
find Cp. The point is that if I divides the discriminant A p = ap 2 — 4|fcp|, where 
kp is the residue field of K at p, then Frobp acts on E[£](K) with only one 
eigenvalue, rational over F^, and whether such an action is semi-simple or 
not cannot be decided from its trace a p mod I. Notice that, if E does not 
have Complex Multiplication then, by a celebrated result of Serre (cf. [5]), 
both possibilities occur for suitable p and I. 



2 



TOMMASO GIORGIO CENTELEGHE 



As already observed in pQ, what turns out to be crucial to tell these two 
cases apart is the ^-divisibility of the index 

b p = [End k9 (E p ):Z[n Ep ]}, 

where Ep denotes E mod p, and tte p is the Frobenius isogeny of Ep rela- 
tive to kp. In fact, more precisely, the £-part of bp, together with the trace 
a p , determines completely the £-adic Tate module Ti(Ep) and thus, by the 
Neron-Ogg-Safarevic criterion, the local structure at p of Ti(E). A conse- 
quence relevant for our original problem is that the pair (a p ,6 p ) determines 
the conjugacy class c p in Ge,u C Aut(E[n]), for all n not divisible by p. 
Equivalently, the splitting of p in K(E[n])/K can be described from (a p , b p ). 

Our contribution to the vast literature on the subject is to indicate a 
recipe for obtaining bp, in almost all cases, from a p and from the j-invariant 
jE of The recipe uses mod p congruence properties of the algebraic 
numbers obtained evaluating at je various Hilbert Class Polynomials, it 
essentially relies on the Lifting Lemma of Deuring. The main application we 
give is a characterization of the primes p\n that are completely split in the 
extension if(£[n])/ir@ This result stresses the role played by Hilbert Class 
Polynomials in the description reciprocity law of the extension K(E[n])/K. 

In £[2] we recall the definition of Hilbert Class Polynomials associated to 
imaginary quadratic orders, and use Deuring's Lifting Lemma to study their 
reduction properties modulo p. In $3] we analyze endomorphism rings of 
elliptic curves Ep over finite fields, we prove the result that enables one to 
recover the index bp from je p ■ After constructing in $4] a normal form for 
endomorphisms of rank-two, free Z^-modules, in £}5] we apply the previous 
result to the study of T^Ep). In £}6l finally, the main application to elliptic 
curves over number fields is given. 

This work was inspired by several interesting discussions with professor 
Merel, who I would like to thank. He asked for a criterion for deciding 
whether a modular Galois representation p : Gq —> GL2(F£) is semi-simple 
or not locally at an unramified prime p ^ i. When p comes from the ^-torsion 
of an elliptic curve E over Q, the result of this paper provides a answer to 
his question. However, this is not quite what was sought by Merel, who 
wanted to identify a certain Hecke module giving rise to p which would give 
access to the above local information at p. While preparing this paper I 

^Our method fails for the finitely many primes p for which E p is special (cf. Def. 13.21) 
If n — 2, then primes p for which E p is special have to be disregarded 
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received invaluable help and precious advice from professor Bockle, whose 
endless energy in our mathematical discussions has always impressed me. I 
thank him heartily. 

2. Hilbert Class Polynomials and mod p reduction 

Thanks to Deuring's Lifting Lemma, and to the properties of good reduc- 
tion of characteristic zero CM elliptic curves, roots of Hilbert Class Polyno- 
mials in characteristic p are known to be j-invariants of elliptic curves with 
prescribed Complex Multiplication. Expanding on ([3J, §1), we recall a few 
basic facts used throughout the paper. 

If k is any field and R an algebraic closure of it, we will say that an elliptic 
curve A over k has Complex Multiplication by an order O of an imaginary 
quadratic field if there exists an embedding t : O — > End s (^4 ® K R) that is 
maximal, in the sense that all the endomorphisms of A® K R lying in t(0)(g)Q 
belong to l{0). 

Let D E Z be a negative discriminant, by which we mean an integer 
D < such that D = or 1 mod 4, and let Od be the order of Q(\AD) 
of discriminant D. The class group Cl^ of Od is the group of isomorphism 
classes of rank one, projective O^i-modules, the product structure being 
induced by ®o D - Its cardinality, the class number of Od, is denoted by ho- 

Once an embedding of Od in the field C of complex numbers is chosen, 
elements of Od can be thought of as homothety classes of lattices A C C 
such that Endc(A) = Od- Equivalently, Od parametrizes isomorphism 
classes of complex elliptic curves with CM by Od- The theory of Complex 
Multiplication says that the j-invariants of elements of Od are algebraic 
integers describing a GQ-orbit in Q C C and generating an abelian extension 
of Q(V r D) known as Hilbert Class Ring attached to Od (cf. [2], §9, §11). 

The Hilbert Class Polynomial Pd{x) associated to D is defined as 

a) p D {x)= n (x-j c/a ), 

aeC\ D 

it has integer coefficients, its degree is equal to Iid, and it is irreducible in 
Q[x]. The choice of the other embedding oi Od into the complex numbers 
has the effect of replacing j c / a by its complex conjugate, and does not affect 
the definition of Pd{x). 

Let now p be a prime number, and p a prime of Q of residual characteristic 
p and residue field F p . Since jc/a is an algebraic integer, for o S C1d, there 
exist a number field KcQcC and a if-model E a of C/o which has good 
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reduction E a at p. Up to enlarging K, we can even assume the CM of C/a 
be attained by the model E a . 

For any prime £ 7^ p, there is a natural identification of £-adic Tate mod- 
ules Ti(E a ) = Ti(E a ) (cf. [6], Lemma 2) using which one can show that the 
torsion of the cokernel of the natural, injective reduction map 

(2) r :End K (E a ) ^End kp (E a ), 

is a p-group, where kp denotes the residue field of K at p (cf. [4], 13 §3, 
Lemma 1). In fact, more precisely, we have that (Im(r) ® Q) n End kp (E a ) is 
the order of Im(r) (£> Q which coincides with r(Endf ( -(£' a )) locally at every 
I, and which is maximal at p (cf. [TO], Thm. 4.2). 

Since, moreover, the injection induced by extension of scalars 

End kp {E a ) — > End Fp (£ a ® fcp F p ), 

has torsion free cokernel (cf. [6], §4), we conclude that: 

Proposition 2.1. Any root of the reduction modulo p of Pd{x) is the j- 
invariant of an elliptic curve E over F p for which there exists an embedding 
i : Op — >■ Endp (E) whose cokernel has p-power torsion. In particular, if 
Od is maximal atp then the roots of Pd(%) modp are j -invariants of elliptic 
curves over F p with CM by Or>. 

From the Lifting Lemma of Deuring (cf. [3], 15 §5, Thm. 14), and using 
the observations preceding Proposition ^. 11 we deduce the following converse 
statement: 

Proposition 2.2. Let E be an elliptic curve over F p which admits CM by 
Od- Then jg is a root of the mod p reduction of Pd{x). 

3. ENDOMORPHISM RINGS OF ELLIPTIC CURVES OVER FINITE FIELDS 

Let p be a prime number, k a finite field of characteristic p and size 
p r , and k an algebraic closure of k. If E is an elliptic curve over k, then 
denote by the "error term" p r + 1 — \E(k)\, by Re the ring Endk(E) 
of A;-endomorphisms of E, and by tte '■ E — > E the Frobenius isogeny of E 
relative to k. In this section we study the index 6^ = [Re : Z[tte]] of the 
subring generated by tte in Re- Before stating the main result, we introduce 
a family of polynomials. For a negative discriminant D set 

Vd{x) = J] P D '(x), 

O d cO d , 
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where Od 1 ranges through all the orders of Od <8> Q containing Od, and 
Pd'(x) is as defined in (pQ). Notice that an integer D' = or 1 mod 4 is the 
discriminant of an order O containing Od if and only if D'h? = D, for some 
integer h > 0, in which case h = [O : Od]- We extend the above definition 
by setting T > o(x) = 0, and Vd(x) = 1 when D < and D = 2 or 3 mod 
4. From now on, for a polynomial P{x) E Z[x] denote by P(x) G F p [x] its 
reduction modulo p. We adopt the convention for which any integer > 
divides infinity. 

Theorem 3.1. Let h be a positive integer not divisible by p, assume that 
h ^ 2 if E is special. Then h divides bE if and only if h 2 divides Ae and 
'Pae/^Ue) = o. 

Here A^ is the discriminant o? E — \p r of the polynomial (cf. ([3]) 

below), while the notion of special is given in Definition 13.21 Our interest in 
bE is motivated from the fact that the pair (aE,bE) determines the Galois 
structure of the £-adic Tate module of E, for any prime £ / p (cf. 33). 
In the ordinary case Theorem 13.11 is a consequence of the Deuring Lifting 
Lemma, and therefore well-known. The observation that it extends to the 
supersingular case contains perhaps some novelty. 

We begin by recalling a few basic facts on elliptic curves over finite fields. 
If a denotes the dual of a given isogeny a G Re, then the degree tte^e of 
the purely inseparable tte is p r ([8], II Prop. 2.11), and that of the separable 
(I-tte) (loc. cit, III Cor. 5.5) is (1 - 7r B )(l - tt e ) = \E(k)\. It follows that 
the trace tve + t^e is equal to the error term a^, and tte satisfies in Re the 
polynomial 

(3) f E {x) = x 2 - a E x +p r . 

The integer is divisible by p if and only if E is supersingular {loc. cit., 
V §4). The discriminant = a\ — Ap r of /e(x) is a non-positive integer 
(loc. cit., V Thm. 1.1), this is to say that tie is a Weil /c-number. 

Honda- Tate theory of abelian varieties over finite fields says that the 
polynomial fE(x) is an isogeny invariant which determines the /c-isogeny 
class of E (cf. [9]). It further implies that, as it is well known, the division 
algebra Re ® Q is isomorphic to the imaginary quadratic field Q(^A^) 
when A^ < 0, and to the unique quaternion over Q ramified at p and 
infinity when A^ = 0. The ring Re is an order of Re <8> Q, and 6_e is infinite 
if and only if Ae = 0. In this case E is supersingular, r = 2m is even, 
tte = cle/2 = ±p m , and Re is a maximal order ([10], Thm. 4.2). Conversely, 
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if E is supersingular then Ag need not be zero. However, there exists a 
finite extension k' jk such that the polynomial attached to E' = E®k k 1 has 
discriminant zero. When A^ < the Z-rank of the rational endomorphism 
of E jumps from 2 to 4 after the base extension k' /k. We refer to this as to 
the supersingular unstable case, which we investigate in some detail. 

The supersingular unstable polynomials Je(x) are subject to the condi- 
tion that p be not complete split in Q(y / A~e) (cf. [9j, Theoreme 1). This re- 
quirement, together with A^ < 0, characterizes them. The Weil /c-numbers 
showing up as their roots are imaginary quadratic integers of the form C,p r ^ 2 > 
where £ is some root of unity and p T l 2 a square root of p r . The non-splitting 
condition forces the following few possibilities for Je(x) (cf. [ID], Thm. 4.1): 



f E (x) 


P 


r 


A £ 


bE 


x 2 + p 2m+1 




2m + 1 


_4p2m+l 


p m or 2p m 


x 2 + p 2m 


^ lmod4 


2m 


_4p 2m 


p m 


x 2 ± p m x + p 2m 


^ lmod3 


2m 


_ 3p 2m 


p m 


x 2 ± p m+l x + p 2m+l 


2 or 3 


2m + 1 


-{4-p)p 2m+l 


p m 



Table 1. Supersingular unstable Weil polynomials 

We have included in the last column of the table the values of the index feg. 
These are computed from the corresponding A#, taking into account that 
Re is maximal locally atp (loc. cit., Thm. 4.2). The point is that, except for 
the case where p = 3 mod 4, r = 2m + 1 is odd, and /e( x ) = x 2 +p 2m+1 , the 
order Z[tte] is maximal at every prime I ^ p, and thus Re is the maximal 
order and the equality bE = p m readily follows. On the other hand, if p = 3 
mod 4 and /e( x ) = x 2 + p 2m+l then bE = 2p m or p m according to whether 
Re has discriminant — p or — Ap, respectively (in fact both cases do arise for 
suitable E (loc. cit., Thm. 4.2)). In Lemma [3. 3 1 we analyze to what extent is 
the j-invariant je of E sufficient to determine the value of bE in this critical 
case. We need first a definition. 

Definition 3.2. The elliptic curve E is special if p = 3 mod 4, r = 2m + 1 

is odd, f E (x) = x 2 +p 2m+1 , and j E = 1728. 

Lemma 3.3. Let p = 3 mod 4, and let E be an elliptic curve over k, with 
\k\ = p 2m+1 , with associated polynomial Je(x) = x 2 + p 2m+1 . If E is not 
special, then Re has discriminant —p if and only if P_ p (j'e) = 0, and has 
discriminant —Ap if and only if P_4 p (j^) = 0. 
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Proof. Prom the preceding discussion we have that the discriminant of Re 
is either — p or — Ap, therefore, by Proposition 12.21 we have that 

P^{j E )P-A P {jE) = 0. 

Moreover, the same proposition implies that P_ p (jE) vanishes if Re has 
discriminant —p. Therefore we are left with showing that if E is non special 
then P- p (Je) = implies that Re has discriminant —p. Since 1728 is the 
only supersingular invariant when p = 3, we may and will continue the proof 
assuming p > 3. 

We will argue in two steps: first we show that the vanishing of P_ p {jE) 
ensures the existence of a fe-form Eg of E which is /c-isogenous to E and for 
which Re has discriminant —p. Secondly, using that je 1728, we show 
that the ring of fc-endomorphisms of any fc-form of E is isomorphic to Re- 
Before carrying out this plan, we make a digression on the study fc-forms of 
E (cf. [8]). 

The absolute Galois group Gk acts in a natural way on the left of the 
group Autj^(-E (g)fc k). A 1-cocycle 9 of this action defines an elliptic curve 
Eq over k and an isomorphism ipg : Eg & — )■ E k such that, if a £ Gk 
is the arithmetic Frobenius of k, the isogeny HE e corresponds to 0(o-)tte 
under the identification End^(£ , e <S>fc k) = End^-E" ®£ k) induced by (pg. In 
particular, Endk(Eg) is identified with the subring of End^(E ®fc k) given 
by the centralizer of 9{a)'KE- This construction induces a bijection between 
H l (Gk, Aut^(i?(g>fcfc)) and the fc-forms of E, considered up to /c-isomorphism. 

Since ir E = — p 2m+ , the curve E acquires all of its geometric endomor- 
phisms over the degree 2 extension of k inside k, therefore the Galois action 
of Gk on End^(£'(X'fc k), which is non-trivial, becomes trivial when restricted 
to the index 2 subgroup. Moreover, the G^-invariant subring of this action 
is the ring Re viewed inside End^E" <g)fc k) via extension of scalars. 

Since any automorphism of End k (E 0k k) <g> Q is an inner one, we deduce 
that a acts on End^.(£'(8>fcfc) via the involution o~(<p) = KEf^E 1 - Since p > 3, 
the unit group of Aut^(i? (g)fe k) is cyclic of order 2, 4, or 6, and intersects 
Re only in ±1. Therefore the action of a 6 Gk on KvX^{E®k k) is given by 
inversion, and evaluation of cocycles at a induces an isomorphism 

H x {Gk,kvX- k {E ® k fc)) - Aut s (£® fc k)f kvX- k (E®k kf, 

so that H 1 (Gk, A.utk(E i&k k)) has order two. 

Let now yj— p 2m+1 be a fixed square root of — p 2m+1 in the maximal order 
O-p of Q(tte)- If P-pUe) = then, by Proposition 12.1} there exists an 
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embedding 



i : 0- p 



End s (£<g> fc k). 



The quantity l(\J— p 2m+1 ) defines an element of End^-EC*)^) whose reduced 
norm is p 2m+1 , the same as that of the Frobenius endomorphism tie of E 
relative to k. It follows that there exists a unit u E End^(-E (g)^ k) such that 



If now is the 1-cocycle of Gk valued in KvXj.(E ®^ k)) such that 0(a) = u, 
the construction described above leads to a /c-form Eg of E such that, tte 
corresponds to wke and the ring Re b corresponds to t(0_ p ), the centralizer 
of utte in End^-E" (8>fc k). Therefore Re b has discriminant — p and the first 
step of our program is complete. 

To prove the second step, observe that the assumption je ^ 1728 ensures 
that —1 G A\it^(E ®k k) is not a square. Therefore the 1-cocycle sending 
a to — 1 on the one hand describes the only non-trivial /c-form of E, on the 
other hand, it defines an elliptic curve over k whose ring of fc-endomorphisms 
is isomorphic to that of E, since the centralizer of — tte in End^-E <E>k k) is 
the same as that of tte- We conclude that if E is not special then the two 
non-isomorphic /c-forms of E have isomorphic fc-endomorphism rings. This 
completes the proof of the lemma. □ 

Remark 3.4. If E is an elliptic curve with Je( x ) = x 2 +p 2m+1 , special or 
not, then in order to find the discriminant of Re one may appeal to the 
two-torsion subgroup E[2] of E. It can be shown that Re has discriminant 
— p if and only if i?[2](/c) is all defined over k. This criterion is more practical 
for computations. 

Remark 3.5. From a computation on a certain lattice of the definite quater- 
nion ramified at p (cf. [3], §2), one can deduce that over any field k of order 
p 2m+1 , and with p = 3 mod 4, there are exactly two non-isomorphic special 
elliptic curves, up to isomorphism. For one of them Re has discriminant 
— p, for the other — 4p. 

We drop now any supersingular assumption on E, and give the proof of 
Theorem 13.11 

Proof. Assume first that E is ordinary. Then E has CM by the unique 
order Re = Endfc(-E) = End^(i? 0^ k) whose discriminant De satisfies 
DEb E = We deduce the theorem in this case from Propositions 12 . 1 1 and 
12.21 which imply that if D is a negative discriminant not divisible by p and 
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such that p splits completely in Q(y/D), then the roots of Pd{x) in k are 
precisely the j-invariants of all ordinary elliptic curves whose endomorphisms 
ring is isomorphic to Od. Where we also took into account the basic fact 
that an elliptic curve in characteristic zero with CM by an order of Q(V^D) 
is ordinary at a place or residual characteristic p if and only if p splits 
completely in Q(y/D). 

Let now E be supersingular. If E has all of its geometric endomorphisms 
defined over k (i.e., if = 0), then bp = oo and the theorem trivially 
holds since Vq{x) = 0. Lastly, if E belongs to the supersingular unstable 
case, then the theorem follows from our analysis of the index bp conduced 
above, and from Lemma 13.31 □ 

Remark 3.6. When bp is finite, its p-part of bp is trivial in the ordinary 
case and equal to p m , where r = 2m + 1 or r = 2m, in the superinsingular 
unstable case (cf. Table [I]). This completes the description of bp given in 
Theorem 13.11 



4. A matrix Lemma 

Let I be a prime number, T a free Z^-module of rank two, and V = 
T <g>z e Qi the Q^-vector space deduced from T. In this elementary section, 
independent from the rest of the paper, we construct an integral normal form 
for endomorphisms of T by identifying in Endz £ (T) a distinguished element 
in each orbit of the conjugation action of Autz^(T). Lemma 14.11 generalizes 
mutatis mutandis when is replaced by any discrete valuation ring. 

Let F E Endz^T) be an endomorphism of T, and let f(x) = x 2 + bx+c be 
its characteristic polynomial, with discriminant Sf = b 2 — 4c. We will think 
of Endz f (T) as an open subring of EndQ £ (V). Consider the Q^-subalgebra 
Cf of EndQ f (V) given by the centralizer of F, and set Rp = H Endz^, (T) . 
The ring Rp certainly contains Zie[F], let n(F) G Z>o U {00} be such that 

£ n ^ = [R F : Z e [F]}, 

where we interpret n(F) = 00 if [Rp : Z^[F]] is not finite. 

Lemma 4.1. The Autz e (T)-conjugacy class of F is uniquely determined by 
f(x) andn(F). F is central if and only if n(F) is infinite. If n(F) is finite 
then T is a free Rf -module of rank one. Moreover, there exist a unique 
integer A 6 Z, with < A < l n ( F ) — 1, and a Zp-basis of T with respect to 
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which F is represented by 

<«> (5 3 +r(F) C ::)• 

where ao and a\ are respectively the constant and linear term of the monic 
polynomial 

r MD f{e n(F) x + X)=X 2 + 2* + * + A2 + ^ +C , 
^ v ; £n(F) £2n(F) ' 

which has coefficients in Zg. Furthemore £ 2n ( F ') divides Sf, and ifn(F) > 
we have 

(5) A ^-- + ^-modr( F ). 

Proof. The ring i?p is an open, compact subring of Cf, and defines an order 
of it. Its rank as a Z^-module coincides with the dimension of Cf over Q^. 
Similarly, the Z^-rank of its subring Z([F] is the same as the Q^-dimension 
of Q^[F]. Since Cp is the four-dimensional EndQ £ (V) when F is central, and 
is two-dimensional and equal to Qe[F] otherwise, we see that F is central if 
and only if n(F) is infinite. The lemma is then clear in this case, and we 
continue assuming n(F) finite. 

The ring R F has a Z^-basis of the form (1,-F') where F' = (a + bF)/£ n(F \ 
for some a, b € Z^ not both divisible by I. Since the ^-adic integer b is a unit, 
for otherwise £ h ~ l F' — bFjl = ajt Z^ would belong to Rp, we conclude 
that F — b~ 1 a belongs to £ n ^Rp. Therefore, if A is the unique integer 
congruent to — b~ 1 a mod £ n ( F ) in the range {0; . . . ■ J £ n ( F ) — 1}, we see that 
F" = (F — X)/£ n ^ belongs to R F . Moreover, (1,F") defines a Z r basis of 
Rp, since it spans a sub-lattice of the correct index. 

Observe now that the endomorphism F" does not act via scalar multi- 
plication on T/£T, for otherwise there would be an integer A' such that 
(F" — X')/£ € Rf, which is not possible since 1 and F" span Rp over Zji. 
In particular, there exists an element e\ € T, with e\ g" £T, such that 
F"(ei) Z e ei +£T. This implies that the pair (ei,F"{e{)) is a Z^-basis of 
T, since the reductions mod £ of its elements generate T mod £. In partic- 
ular, the map Rp 3r-> ?"( e i) £ 7" is an isomorphism of i?p-modules, thus 
T is free of rank one over Rp. 

The characteristic polynomial f"{x) of F" has coefficients in Z^, since F" 
belongs to the order Rp, and is related to f(x) via the formula f"(x) = 

e -2n(F)j^n(F) x + x y j f Qq and 

ai are, respectively, the constant and linear 
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term of f"(x), then we easily see that the action of F" on T with respect to 
(ei,F"(ei)) is given by the matrix 

(! 

and that of F by formula in the lemma. Uniqueness of the class A mod 
gn(F) j g c i ear; anc [ ^he proof of the first part of the lemma is complete. 

We note that if Sr f is the discriminant of Rp, then basic properties of 
S imply that SfZi = £ 2n< *- F ^ 5r f Zi. In particular, £ 2n ( F ) divides Sf and, 
if n(F) > 0, the quantity Sf /(2£ n ^), which appears in ([5]), is integral. 
Furthermore we observe that when £ = 2 the discriminant Sr f is either a 
unit of Z2 or else belongs to 4Z2. The first case occurs if and only if f(x) is 
separable, Q2 [#]//(£) is isomorphic to either Q2 x Q2 or to the unramified 
extension of Q2, and Rf is the maximal order of Q2[x]/ f(x). 

We are only left with showing how A mod £ n ^ can be recovered from 
f(x) and from n(F), when n{F) > 0. It is enough to exploit the condition 
that the polynomial 

/<<(*) = r^n m mn x + x) = x ^ + ^±± x + £ + £ 

have coefficients in Z^. Observe that 2 A + 6 G £ n ( F ^Zi£ is equivalent to 
A = —6/2 mod 2~ 1 £ n ( F \ which gives © right away when £ > 2, since £ 2n ( F ) 
divides St. When £ = 2 we have that 4 divides Sf = b 2 — 4c, and hence 2 
divides b. In this case 2A + b G £ n ( F ^Zi gives 

A = -b/2 mod 2 n ( F > or A = -6/2 + 1< F ^ 1 mod 2 n ( F ). 

To decide which of the two possibilities above occurs we write 

£ 2n ( F *>a = A 2 + 6A + c = (A + 6/2) 2 + S f /4, 

and recall ourselves that Sf/2 2n ( F > = 5r p is either a unit of Z2 or it belongs 
to 4Z2. Now, in order for to be in Z2 we must have that A = —6/2 
mod 2< F ^ if 5 f /2 2n( - F 1 G 4Z 2 , and that A = -6/2 + 2< F ^~ l mod 2< F ^ if 
§ f / 2 M F ) e Z2j. In both cases we have 

A = -- + A__2"( F )" 1 mod 2^), 

2 4 • 2 2 (™( F )- 1 ) 

and the lemma is complete. □ 

Remark 4.2. The quantity n(F), finite or infinte, satisfies 

n(F) = sup{F mod is multiplication by a scalar}, 
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and thus £~ n ^ is the £-adic distance in Endz f (T) from F to the center Z^. 

Remark 4.3. Up to isomorphism, the lattices T' C V stable under F are 
parametrized by orders R' of Q^[-F] containing F, where R' is obtained 
from T' via the formula R' = Endz^(T') n Cp, and where the invariant 
n(F) attached to F : T' — > T' is the exponent of £ appearing in the prime 
factorization of [R' : Z^[F]]. In particular a monic polynomial f(x) = x 2 + 
bx + c G Zi£ [x] and an integer n > are the invariants attached to a certain 
non-scalar endomorphism F : T — >• T if and only if there is an order Rf C 
Q(\x\/ f(x) containing 2ii[x\/ fix) with index -P. When the discriminant 5f 
of f(x) is zero, such a ring Rp exists for any n; if f{x) splits in Qe[x] then 
i?F exists if and only if £ 2n divides 5f, if f(x) is irreducible in Qe[x] then 
i?F exists if and only if £ 2n divides <5//<5l, where 5l is the discriminant of 
the quadratic extension of defined by f(x). If £ > 2, this last condition 
is equivalent to require £ 2n to divide 5f, since 5l is in this case square-free. 



5. The £-adic Tate module T e (E) 

We keep the notation of Jj3]and we let £ be a prime number different from 
p. If E is an elliptic curve over the finite field k with p r elements, then the 
^-adic Tate module Ti(E) is a free, rank- two Z^-module over which Gk acts 
continuously. Using the index computation of Theorem 13. 11 and the integral 
normal form constructed in £JH we give an explicit recipe to determine the 
Galois action of Gk on T^{E). 

Observe that the action of the arithmetic Probenius Frob^ 6 Gk on Ti(E) 
is the same as that induced from tte via functoriality of T^. The ring Zi[tte] 
is reduced, since it is a subring of the division ring Re <8> Q, therefore T^-ke) 
is a semi-simple endomorphism of T((E) ® Qf It follows that the Galois 
structure of Ve(E) = Ti(E)®Qe is completely described by the characteristic 
polynomial of T^ite), which is /e(x). 

On the other hand, finding the G^-structure of the lattice T^{E) C Vi{E) 
requires, in general, an integral refinement of the information given by /e(x)- 
In fact, when Ae < 0, i.e., when Ti{tte) is not central, the isomorphism 
classes of G^-stable lattices are parametrized by orders of Q^e] contain- 
ing tte (cf. Remark I4.3[) . In particular, if Z^tte] is not maximal at £, 
in which case £ 2 divides Ae, then the invariant n{Tp{nE)) introduced in 
$4] may take several values. For example, we see that n{T^{ , KE)) is zero 
or non-zero according to whether the arithmetic Frobenius of k acts on 
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E[£] = T e (E)/m(E) as 



respectively, where A £ is the double root of Je(x) = mod I (cf. Lemma 
14. 1[) . It is clear that the distinction as to which of the two cases occurs cannot 
be operated using only the trace oe of Frob^. 

Definition 5.1. Let ni(E) be the exponent of t occurring in the £-part of 
&E, where we agree on setting ni(E) = oo when 6^ is not finite. 

By a theorem of Tate, the natural map 

r t : Re Z £ — > End Gfc (T^(£)) 

is an isomorphism (cf. [11], Thm. 6). Therefore we deduce that the £-adic 
valuation ni{E) of &£• is the same as the invariant n(T^(7TE)) defined in 21 
Applying now Lemma[4]to Ti(tte), together with Theorem 13.11 yields: 

Theorem 5.2. Up to isomorphism, the Galois module Tg(E) is determined 
by /e(x) and by ni(E). If ni(E) is infinite, then S Z and Frobfc acts 
on Ti{E) as multiplication by tie- If n i{E) is finite, then Tg(E) is a free 
Re <Si2i£-module of rank one. Moreover, there exists a Z^-basis ofT^E) and 
a unique integer A, with < A < l n ^ E ) — \, such that the action o/Frob^ 
on Ti{E) is given by 




where oq and a\ are the constant and linear term of the polynomial 

i -2n t (E)j E ^n t (E) x + x ^ 

which has coefficients in Z^. Furthermore, £ 2n e( E ) divides Ae and ifne(E) > 

we have 

(7) A = ? + -^ n od^. 
Assuming E not special if 1 = 2, we have 

(8) m(E) = sup{ £ 2i divides A E and Pa e /£^Ue) = 0}. 

i 

If E is special, with \k\ = p 2m+1 , then Ae = —4p 2m+1 and ri2(E) is either 

1 or according to whether E[2] is all defined over k or not, respectively. 
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Remark 5.3. If E is supersingular and Ae < 0, then, according to the 
computations of the index oe performed while proving Theorem 13 .1\ we see 
that n^{E) is always if £ > 2, and can at most be 1 if £ = 2. In particular, 
we observe that never acts via scalar multiplication on E[£], for any 
prime £ \ 2p. 

If n > is any integer not divisible by p, then Theorem 15. 21 can be applied 
to all prime factors of n to determine the G^-module E[n], where n has to 
be odd if E is special. We derive the following rationality criterion for E[n]: 

Corollary 5.4. Assuming n ^ 2 if E is special, the n-torsion E[n] is all 
defined over k if and only if: 

i) n 2 divides Ae and Pae/^Ue) = 0; 

ii) oe = 2 + =M- mod n*; 

where n* = 2n if n is even, and n* = n otherwise. 

Proof. If Ae = 0, then \k\ is an even power p 2m of p and tte = ±p m . In 
this case Frobfc acts via multiplication by tte on E[n], and in order for E[n] 
to be all defined over k we must have tte = 1 mod n. Since oe = 2ite, this 
congruence condition is equivalent to ii). Since i) is always satisfied when 
A^ = 0, the proof is completes in this case. 

We therefore continue assuming Ae < 0, and begin by reducing the corol- 
lary to the case where n is a prime power. Let n = Y\£ ee be the factorization 
of n into the product of non-trivial powers of distinct primes. If i) holds for 
n, then certainly so does for any of its divisors d, since VA E /n 2 ( x ) divides 
r PA E /d 2 ( x ) m Z[x]. Next, if n 2 divides A# and ii) holds for n, then it is clear 
that ii) holds as well for £ ee , for any £\n. To see this for £ = 2, in the case 
where n is even, notice that 

(9) = mod 2 e2+i , 

w n 2 e 2 

for, writing n = 2 e2 n', we have that 2 2e2+1 divides A E (1 — n'), since 

2 2e 2 

divides A^ and n' is odd. 

Conversely, assume that conditions i) and ii) both hold for the integers 
£ ee , for any prime £\n, then we show that they hold for n as well. To see 
this for condition i), assume first that E is ordinary. In this case E has CM 
by a unique order Oe of discriminant De, moreover the index h of Z[7Te] in 
Oe satisfies A^ = K 2 De- Condition i) holds for £ ei if and only if £ ei divides 
h (cf. Proposition 12.11 and Proposition \2.2\i . thus it holds for n as soon as it 
does so for all of its ^-primary parts. If E is supersingular, and with A# < 0, 
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we have already seen that the prime-top part of Ae divides 4 (cf. proof of 
Theorem 13. Therefore, if i) and ii) holds for any prime power £ ee with 
£\n, then n = 2, a prime power, and both i) and ii) are verified for n. 

After this reduction, we continue the proof in the case A^ < assuming 
n = £ e , for some prime number I ^ p, and some e > 1. Moreover, we also 
assume for the moment that I ^ 2 if E is special. According to Theorem 
15.21 there exists a basis of T^{E) with respect to which the action of Frobfc 
is given by a matrix of the form 

where ri£(E) is the £-adic valuation of and A is a certain integer. The 
torsion E\£ e \ is all defined over k if and only if 

l-Frob fc er-End Zf[Gfc] CZH£)), 

which, thanks to the above matrix description, amounts to have 

ne(E) > e, and A = 1 mod £ e . 

From (JSj) and (|7|) in the theorem, this is the same as having £ 2e divide Ae, 

'Pa e /M3e) = 0, and 

; — - = 1 mod £ . 

2 2£™(E) 

After multiplying by 2 both sides of the congruence, we finally get the state- 
ment of the corollary for n = £ e , provided that we observe that, when £ = 2, 
if condition i) holds then A E /2 n ^ = -A E /2 e mod 2 e+1 . 

To complete the proof we need to indicate why the corollary holds for 
n = 2 e and E special. The point is that, by assumption, we have e > 2. 
Therefore on the one hand E[£ e ] is never all defined over k, since n2(E) is 
either zero or one (cf . Theorem \5.2h , on the other hand n 2 does not divide 
Ae, which is equal to — 4p 2m+1 , where \k\ = p 2m + 1 ) and hence condition i) 
is not satisfied. □ 

6. Applications to elliptic curves in characteristic zero 

Let K be a finite extension of Q p , with integers 0, valuation prime p and 
residue field k p . Denote by Gk the absolute Galois group of K, with respect 
to the choice of an algebraic closure K of K, and by G v the corresponding 
absolute Galois group of k p . HE is an elliptic curve over K with good 
reduction E p at p, then the criterion of Neron-Ogg-Safarevic says that the 
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^-adic Tate module Tp(E) is unramified for any prime £ ^ p, and, moreover, 
there is a natural identification Ti(E) = Ti{Ep) which is Galois equivariant 
with respect to the map Gk — > Gp . 

In this setting it is therefore possible to apply the results of £[5]to describe 
the Galois structure of Tg(E), under the usual restriction of having Ep non- 
special if t = 2. In particular, if n is an integer not divisible by p, and odd 
if Ep is special, then Theorem 13.11 can be used to describe the unramified 
Cr if -module E[n](K) given by the n-torsion of E. More precisely, taking into 
account that E[n](K) decomposes canonically into the product of its f-parts, 
we see that Theorem 13.11 gives a procedure to determine the conjugacy class 
of the image of a Frobenius element Frobj^ in Aut(E[n](K)) ~ GL2(Z/nZ) 
starting from the j-invariant of Ep. 

Remark 6.1. When i = 2 and Ep is special, the question of whether the 
knowledge of je (and not just that of its reduction je v ) suffices to determine 
the Galois structure of T^{E) remains. 

We end the section and the paper with the main application of the results 
of Jj5]to a global setting. Let K be a number field, and E an elliptic curve 
over K with conductor VIe- If p is a discrete prime of K at which E has 
good reduction Ep, then let a p denote the corresponding error term, i.e., 
ap = \k p \ + 1 — Ep(kp), where k p is the residue field of K at p. Let n be any 
integer > 1, and let K(E[n]) be the smallest extension of K, inside a fixed 
algebraically closed field, where the n-torsion of E is defined. Then: 

Theorem 6.2. Let p be a discrete prime of K with p \ OT^n. Assume 
that Ep is not special if n = 2. Then p splits completely in the extension 
K(E[n])/K if and only if: 

i) n 2 divides Ae p = a 2 — 4|fc p | and "PA B|J /n 2 (j£) = mod p; 

ii) a p = 2 H — ^ mod n* ; 

where n* = 2n if n is even, and n* = n otherwise. 
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